 

Spring OAuth2 ResourceServer dependency hell

I want to implement a resource server (Spring Boot Rest Backend and secured via OAuth2 with JWT).

I got a resource server running that processes JWT tokens from the Keycloak authentication server, but there are still gaps in my knowledge about how to verify JWT tokens.

A deeper look at the Spring reference documentation opens the Hellmouth.

In the Spring OAuth2 Boot Reference there is a link to a feature matrix. This matrix lists the following Spring options for implementing a resource server.

  • Spring Security OAuth (2.2.+)
  • Spring Security (5.1.+)
  • Spring Cloud Security (1.2.+)
  • Spring Boot OAuth2 (1.5.x)

But now I have found the following dependency

  • 'org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.1.6.RELEASE'

Which Spring project or starter does this dependency refer to? Is the matrix outdated? And if so, where can I find a current overview for selecting a suitable solution for implementing a resource server?

It's all very opaque; can anyone bring some light into this darkness?

asked Jul 25 '19 11:07 by Dev Moerker




1 Answer

> Which Spring project or starter does this dependency refer to? Is the matrix outdated?

The reference you link to, and the spring-security-oauth2-autoconfigure dependency, are for OAuth projects that are now in maintenance mode. As the feature matrix mentions, Spring Security 5 is meant to replace all the previous OAuth projects that were being developed separately. However, Spring Security 5 still doesn't offer support for creating an authorization server, so it's not quite there yet. But since you're implementing a resource server, Spring Security 5 is definitely the way to go.

> And if so, where can I find a current overview for selecting a suitable solution for implementing a resource server?

Check out the Spring Security 5 documentation for detailed information on how to implement a resource server.

Tip #1: As was mentioned, there are a ton of tutorials for the "outdated" Spring Security OAuth project. Whenever you see the @EnableResourceServer annotation, you'll know it's the old way of doing things.

This is the "Spring Security 5 way": http.oauth2ResourceServer().

Tip #2: If you're using Spring Boot, you'll need the following dependencies:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-resource-server</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-jose</artifactId>
    </dependency>

Why? Well, you need the starter to use Spring Security 5. And the docs explain why you need the last two:

Most Resource Server support is collected into spring-security-oauth2-resource-server. However, the support for decoding and verifying JWTs is in spring-security-oauth2-jose, meaning that both are necessary in order to have a working resource server that supports JWT-encoded Bearer Tokens.

answered Sep 25 '22 08:09 by NatFar
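The answer above names the DSL entry point (`http.oauth2ResourceServer()`) and the three dependencies but does not show what the verification actually consists of. The following is an added example, not code from the question, the answer, or the Spring project: a complete Spring Security 5 resource-server configuration for Keycloak-issued JWTs that checks the signature against the realm's JWK set and then validates the `exp`/`nbf` timestamps, the issuer and the audience, and maps Keycloak realm roles to authorities. It assumes Spring Boot 2.2+ / Spring Security 5.2+ (lambda DSL, `WebSecurityConfigurerAdapter`) and the three dependencies listed in the answer; the realm URL `http://localhost:8080/auth/realms/demo`, the client id `my-api`, the role name `admin` and the `/api/**` paths are placeholder assumptions.

```java
// Added example: Spring Security 5 resource server for Keycloak JWTs.
// Assumed: Spring Boot 2.2+ / Spring Security 5.2+, spring-boot-starter-security,
// spring-security-oauth2-resource-server and spring-security-oauth2-jose on the classpath.
package com.example.resourceserver; // hypothetical package

import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Placeholder values (assumptions): a Keycloak realm "demo" on localhost and the
    // client id under which this API is registered in that realm.
    static final String ISSUER = "http://localhost:8080/auth/realms/demo";
    static final String JWK_SET_URI = ISSUER + "/protocol/openid-connect/certs";
    static final String EXPECTED_AUDIENCE = "my-api";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Authorization: realm role "admin" for /api/admin/**, any valid token for the
            // rest of /api/**, everything else is unreachable.
            .authorizeRequests(authz -> authz
                .antMatchers("/api/admin/**").hasRole("admin")
                .antMatchers("/api/**").authenticated()
                .anyRequest().denyAll())
            // The Spring Security 5 way: no @EnableResourceServer, only the DSL.
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt
                    .decoder(jwtDecoder())
                    .jwtAuthenticationConverter(keycloakAuthenticationConverter())));
    }

    // Signature check against the realm's JWK set, then claim validation: timestamps
    // (exp/nbf with clock skew), issuer, and audience. The issuer and audience checks
    // stop a validly signed token from another realm on the same Keycloak, or issued
    // for a different client, from being accepted by this API.
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(ISSUER);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                defaults, new AudienceValidator(EXPECTED_AUDIENCE)));
        return decoder;
    }

    // Rejects tokens whose "aud" claim does not name this API.
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String audience;

        AudienceValidator(String audience) {
            this.audience = audience;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            List<String> aud = jwt.getAudience();
            if (aud != null && aud.contains(audience)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                    new OAuth2Error("invalid_token", "required audience is missing", null));
        }
    }

    // Keycloak puts realm roles under realm_access.roles rather than in "scope", so map
    // them to ROLE_* authorities; without this, hasRole("admin") above never matches.
    static JwtAuthenticationConverter keycloakAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(jwt -> {
            Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
            if (realmAccess == null || !(realmAccess.get("roles") instanceof Collection)) {
                return Collections.emptyList();
            }
            @SuppressWarnings("unchecked")
            Collection<String> roles = (Collection<String>) realmAccess.get("roles");
            return roles.stream()
                    .<GrantedAuthority>map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                    .collect(Collectors.toList());
        });
        return converter;
    }
}
```

Two caveats a practitioner will hit with this setup. First, Spring Boot can build the decoder for you from the single property `spring.security.oauth2.resourceserver.jwt.issuer-uri`, but that decoder only checks signature, timestamps and issuer, so the audience check above still has to be added by hand. Second, Keycloak only puts a client id into `aud` when the realm has an audience mapper configured for that client; if every request suddenly fails with `invalid_token` after enabling the audience validator, that mapper is the first thing to check.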